Forum Discussion
VinodS2020
Dec 05, 2023, Brass Contributor
How to create Playbook and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, an
How do we create playbooks and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, and Data? We want to build some automation around them so that SOAR works the alerts that are at "Low" or "Medium" severity.
For example: if we have many alerts, they should be verified by the respective automation rule, which then takes the appropriate action, such as closing those alerts or marking them as no action needed.
- securigeek1, Copper Contributor
We are in the process of comparing the different SOAR solutions on the market, i.e. Google SecOps and Swimlane, with Logic Apps (Sentinel). The main finding that is coming up again and again is that the insufficient case management capabilities in Logic Apps make choosing the Microsoft stack for SOAR a bad choice for a big company like ours, with more than 200,000 users and a multi-country presence. Can someone share their experience on this subject if they have lived through a similar scenario, and what their experience or findings have been?
- G_Wilson3468, Iron Contributor
So, I think you're asking how to create those playbooks in Microsoft Sentinel. For any incident trigger you can go to Automation under the Configuration section in Sentinel. From there you can select "+ Create" and then assign an action such as running a playbook or adding a task, etc. If you select to run a playbook, you can select any active playbooks you have created. Additionally, there are playbook templates that will have what you want, or will be close enough for you to modify to accomplish almost any task.
Here are the docs that will help.
Tutorial - Automate threat response in Microsoft Sentinel | Microsoft Learn
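As an added example, not from this thread or from the linked Microsoft docs, here is the same automation rule expressed as an ARM resource (Microsoft.SecurityInsights/automationRules) for the original poster's scenario: on incident creation, match Low and Medium incidents whose alerts come from the Defender products and close them with a classification. The workspace name, the rule GUID, and the exact product-name strings are assumptions to check against the Sentinel API version you deploy with; the rule is scoped narrowly on purpose so it never touches High incidents or other providers.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2023-02-01",
  "name": "00000000-0000-0000-0000-000000000001",
  "scope": "Microsoft.OperationalInsights/workspaces/<your-workspace>",
  "properties": {
    "displayName": "Auto-close Low/Medium Defender incidents (assumed example)",
    "order": 10,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentSeverity",
            "operator": "Equals",
            "propertyValues": [ "Low", "Medium" ]
          }
        },
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "AlertProductNames",
            "operator": "Contains",
            "propertyValues": [
              "Microsoft Defender for Identity",
              "Microsoft Defender for Endpoint",
              "Microsoft Defender for Cloud Apps"
            ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "ModifyProperties",
        "actionConfiguration": {
          "status": "Closed",
          "classification": "BenignPositive",
          "classificationReason": "SuspiciousButExpected",
          "classificationComment": "Closed by automation rule; review sample weekly"
        }
      }
    ]
  }
}
```

If the alerts need to be verified before closing, replace the ModifyProperties action with a RunPlaybook action pointing at a Logic App that performs the checks and only then updates the incident; the rule's conditions stay the same.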